isolation: Only drop a few strategic environment variables

Closes: ostreedev#582
cgwalters · Jan 17, 2024 · 263cd73 · 263cd73
1 parent 59f6a27
commit 263cd73
Showing 1 changed file with 5 additions and 1 deletion.
diff --git a/lib/src/isolation.rs b/lib/src/isolation.rs
@@ -28,10 +28,14 @@ pub(crate) fn unprivileged_subprocess(binary: &str, user: &str) -> Command {
         return Command::new(binary);
     }
     let mut cmd = Command::new("setpriv");
+    // Clear some strategic environment variables that may cause the containers/image stack
+    // to look in the wrong places for things.
+    cmd.env_remove("HOME");
+    cmd.env_remove("XDG_DATA_DIR");
+    cmd.env_remove("USER");
     cmd.args([
         "--no-new-privs",
         "--init-groups",
-        "--reset-env",
         "--reuid",
         user,
         "--bounding-set",